Add pki_http_enable param #4508

Merged
merged 1 commit into from
Jul 20, 2023
Merged
44 changes: 44 additions & 0 deletions .github/workflows/tps-separate-test.yml
Expand Up @@ -57,10 +57,19 @@ jobs:
-D pki_ds_url=ldap://cads.example.com:3389 \
-D pki_cert_id_generator=random \
-D pki_request_id_generator=random \
-D pki_http_enable=False \
-v

docker exec ca pki-server cert-find

- name: Verify there is no plain HTTP connectors in CA
run: |
docker exec ca pki-server http-connector-find | tee output

echo "Secure" > expected
sed -n -e "s/^ *Connector ID: *\(.*\)$/\1/p" output > actual
diff expected actual

- name: Install banner in CA container
run: docker exec ca cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat

Expand Down Expand Up @@ -98,10 +107,19 @@ jobs:
-D pki_ds_url=ldap://krads.example.com:3389 \
-D pki_key_id_generator=random \
-D pki_request_id_generator=random \
-D pki_http_enable=False \
-v

docker exec kra pki-server cert-find

- name: Verify there is no plain HTTP connectors in KRA
run: |
docker exec kra pki-server http-connector-find | tee output

echo "Secure" > expected
sed -n -e "s/^ *Connector ID: *\(.*\)$/\1/p" output > actual
diff expected actual

- name: Install banner in KRA container
run: docker exec kra cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat

Expand Down Expand Up @@ -135,10 +153,19 @@ jobs:
-D pki_cert_chain_path=${SHARED}/ca_signing.crt \
-D pki_admin_cert_file=${SHARED}/ca_admin.cert \
-D pki_ds_url=ldap://tksds.example.com:3389 \
-D pki_http_enable=False \
-v

docker exec tks pki-server cert-find

- name: Verify there is no plain HTTP connectors in TKS
run: |
docker exec tks pki-server http-connector-find | tee output

echo "Secure" > expected
sed -n -e "s/^ *Connector ID: *\(.*\)$/\1/p" output > actual
diff expected actual

- name: Install banner in TKS container
run: docker exec tks cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat

Expand Down Expand Up @@ -178,10 +205,27 @@ jobs:
-D pki_authdb_hostname=tpsds.example.com \
-D pki_authdb_port=3389 \
-D pki_enable_server_side_keygen=True \
-D pki_http_enable=False \
-v

docker exec tps pki-server cert-find

- name: Verify there is no plain HTTP connectors in TPS
run: |
docker exec tps pki-server http-connector-find | tee output

echo "Secure" > expected
sed -n -e "s/^ *Connector ID: *\(.*\)$/\1/p" output > actual
diff expected actual

- name: Verify there is no plain HTTP ports in security domain
run: |
docker exec ca pki-server sd-subsystem-find | tee output

echo -n "" > expected
sed -ne "/^ *Port:/p" output > actual
diff expected actual

- name: Install banner in TPS container
run: docker exec tps cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat

Expand Down
2 changes: 1 addition & 1 deletion base/common/python/pki/system.py
Expand Up @@ -81,7 +81,7 @@ def from_json(cls, json_value):
host.Hostname = json_value['Hostname']
host.SecurePort = json_value['SecurePort']
host.SubsystemName = json_value['SubsystemName']
host.Port = json_value['Port']
host.Port = json_value.get('Port')

return host

Expand Down
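Review bot: The switch to `json_value.get('Port')` on the new line makes `Port` the only optional field among the strict `[]` lookups above it, with nothing in the code saying why it may be missing; a one-line comment would save the next reader a trip through the deployment code, e.g. `# 'Port' is omitted when the subsystem has no plain HTTP connector (pki_http_enable=False)`. from_json's body starts outside the hunk.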
2 changes: 2 additions & 0 deletions base/server/etc/default.cfg
Expand Up @@ -258,6 +258,8 @@ pki_proxy_https_port=443
pki_security_manager=true
pki_tomcat_server_port=8005

pki_http_enable=True

# Paths
# These are used in the processing of pkispawn and are not supposed
# to be overwritten by user configuration files.
Expand Down
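Review bot: The new `pki_http_enable=True` line is the only parameter in this stretch of default.cfg without a comment, so an operator skimming the defaults cannot tell what it toggles or that the `False` setting leaves the instance HTTPS-only. Suggest preceding it with `# Enable the plain HTTP connector in server.xml; set to False for an HTTPS-only instance`, matching the commented `# Paths` block that follows.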
4 changes: 2 additions & 2 deletions base/server/python/pki/server/cli/sd.py
Expand Up @@ -176,7 +176,7 @@ def print_help(self):
print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
print(' --subsystem <type> Subsystem type')
print(' --hostname <hostname> Hostname')
print(' --unsecure-port <port> Unsecure port (default: 8080)')
print(' --unsecure-port <port> Unsecure port')
print(' --secure-port <port> Secure port (default: 8443)')
print(' --domain-manager Domain manager')
print(' --clone Clone')
Expand All @@ -201,7 +201,7 @@ def execute(self, argv):
instance_name = 'pki-tomcat'
subsystem_type = None
hostname = None
unsecure_port = '8080'
unsecure_port = None
secure_port = '8443'
domain_manager = False
clone = False
Expand Down
41 changes: 28 additions & 13 deletions base/server/python/pki/server/deployment/__init__.py
Expand Up @@ -274,21 +274,36 @@ def create_server_xml(self, instance):
logger.info('Removing UserDatabase')
server_config.remove_global_naming_resource('UserDatabase')

logger.info('Configuring Unsecure connector')
# find default HTTP connector
connector = server_config.get_connector(port='8080')
connector.set('name', 'Unsecure')
connector.set('port', self.mdict['pki_http_port'])
connector.set('redirectPort', self.mdict['pki_https_port'])
connector.set('maxHttpHeaderSize', '8192')
connector.set('acceptCount', '100')
connector.set('maxThreads', '150')
connector.set('minSpareThreads', '25')
connector.set('enableLookups', 'false')
connector.set('connectionTimeout', '80000')
connector.set('disableUploadTimeout', 'true')
service = connector.getparent()

# get HTTP connector position
index = service.index(connector)

if config.str2bool(self.mdict['pki_http_enable']):

logger.info('Configuring HTTP connector')
connector.set('name', 'Unsecure')
connector.set('port', self.mdict['pki_http_port'])
connector.set('redirectPort', self.mdict['pki_https_port'])
connector.set('maxHttpHeaderSize', '8192')
connector.set('acceptCount', '100')
connector.set('maxThreads', '150')
connector.set('minSpareThreads', '25')
connector.set('enableLookups', 'false')
connector.set('connectionTimeout', '80000')
connector.set('disableUploadTimeout', 'true')

# add the HTTPS connector after this connector
index = index + 1

else:
logger.info('Removing HTTP connector')
service.remove(connector)

logger.info('Adding Secure connector')
connector = server_config.create_connector(name='Secure')
logger.info('Adding HTTPS connector')
connector = server_config.create_connector(name='Secure', index=index)
connector.set('port', self.mdict['pki_https_port'])
connector.set('protocol', 'org.dogtagpki.tomcat.Http11NioProtocol')
connector.set('SSLEnabled', 'true')
Expand Down
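Review bot: The index bookkeeping around the new `if config.str2bool(self.mdict['pki_http_enable'])` branch deserves a comment, because the reader has to work out that after `service.remove(connector)` the saved `index` now points at the slot the HTTP connector occupied, so `create_connector(name='Secure', index=index)` places the HTTPS connector in that same position; a line such as `# HTTP connector removed: the HTTPS connector takes its original slot` in the else branch would make that explicit. Separately, `connector.getparent()` is now evaluated before the branch, so a template server.xml with no port-8080 connector would presumably fail with an AttributeError on `None` rather than a clear message; an explicit `if connector is None: raise Exception('Missing default HTTP connector in server.xml')` ahead of it would be cheaper to diagnose, assuming `get_connector` returns `None` on a miss (not visible here). This diff also does not show where the deployment decides to pass `unsecure_port=None` to `join_security_domain` / `add_security_domain_subsystem` when HTTP is disabled; worth confirming that call site, since otherwise `pki_http_port` would still be advertised in the security domain for a connector that no longer exists. create_server_xml continues outside the hunk on both sides.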
10 changes: 6 additions & 4 deletions base/server/python/pki/server/subsystem.py
Expand Up @@ -1494,7 +1494,7 @@ def add_security_domain_subsystem(
subsystem_id,
subsystem_type,
hostname,
unsecure_port='8080',
unsecure_port=None,
secure_port='8443',
domain_manager=False,
clone=False,
Expand Down Expand Up @@ -1552,7 +1552,7 @@ def join_security_domain(
sd_url,
host_id,
hostname,
unsecure_port='8080',
unsecure_port=None,
secure_port='8443',
domain_manager=False,
clone=False,
Expand All @@ -1576,10 +1576,12 @@ def join_security_domain(
'--install-token', install_token,
'--type', self.type,
'--hostname', hostname,
'--unsecure-port', unsecure_port,
'--secure-port', secure_port
'--secure-port', secure_port,
]

if unsecure_port is not None:
cmd.extend(['--unsecure-port', unsecure_port])

if domain_manager:
cmd.append('--domain-manager')

Expand Down
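Review bot: The `None` guard added at the `cmd.extend(['--unsecure-port', unsecure_port])` line covers join_security_domain only; add_security_domain_subsystem at the top of this section receives the same `unsecure_port=None` default, but its body is outside the hunk, so it is worth confirming it no longer forwards a `None` straight into its own argument list. A short docstring note on both signatures, e.g. `:param unsecure_port: plain HTTP port, or None when the HTTP connector is disabled`, would document the new optionality. Both functions continue outside the hunk.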
Expand Up @@ -54,7 +54,7 @@ public void createOptions() {
option.setArgName("hostname");
options.addOption(option);

option = new Option(null, "unsecure-port", true, "Unsecure port (default: 8080)");
option = new Option(null, "unsecure-port", true, "Unsecure port");
option.setArgName("port");
options.addOption(option);

Expand Down Expand Up @@ -89,7 +89,7 @@ public void execute(CommandLine cmd) throws Exception {
throw new CLIException("Missing hostname");
}

String unsecurePort = cmd.getOptionValue("unsecure-port", "8080");
String unsecurePort = cmd.getOptionValue("unsecure-port");
String securePort = cmd.getOptionValue("secure-port", "8443");
boolean domainManager = cmd.hasOption("domain-manager");
boolean clone = cmd.hasOption("clone");
Expand Down Expand Up @@ -150,7 +150,11 @@ public void execute(CommandLine cmd) throws Exception {
attrs.add(new LDAPAttribute("cn", cn));
attrs.add(new LDAPAttribute("SubsystemName", subsystemID));
attrs.add(new LDAPAttribute("Host", hostname));
attrs.add(new LDAPAttribute("UnSecurePort", unsecurePort));

if (unsecurePort != null) {
attrs.add(new LDAPAttribute("UnSecurePort", unsecurePort));
}

attrs.add(new LDAPAttribute("SecurePort", securePort));
attrs.add(new LDAPAttribute("SecureAgentPort", securePort));
attrs.add(new LDAPAttribute("SecureAdminPort", securePort));
Expand Down
Expand Up @@ -26,7 +26,12 @@ public static void printSubsystem(SecurityDomainHost host) {

System.out.println(" Subsystem ID: " + host.getId());
System.out.println(" Hostname: " + host.getHostname());
System.out.println(" Port: " + host.getPort());

String port = host.getPort();
if (port != null) {
System.out.println(" Port: " + port);
}

System.out.println(" Secure Port: " + host.getSecurePort());

if (host.getDomainManager() != null) {
Expand Down
Expand Up @@ -32,7 +32,7 @@ public void printHelp() {

@Override
public void createOptions() {
Option option = new Option(null, "port", true, "Port (default: 8080)");
Option option = new Option(null, "port", true, "Port");
option.setArgName("port");
options.addOption(option);

Expand Down Expand Up @@ -63,7 +63,7 @@ public void execute(CommandLine cmd) throws Exception {
SecurityDomainHost host = new SecurityDomainHost();
host.setId(hostID);

String port = cmd.getOptionValue("port", "8080");
String port = cmd.getOptionValue("port");
host.setPort(port);

String securePort = cmd.getOptionValue("securePort", "8443");
Expand Down
Expand Up @@ -57,7 +57,7 @@ public void createOptions() {
option.setArgName("hostname");
options.addOption(option);

option = new Option(null, "unsecure-port", true, "Unsecure port (default: 8080)");
option = new Option(null, "unsecure-port", true, "Unsecure port");
option.setArgName("port");
options.addOption(option);

Expand Down Expand Up @@ -103,7 +103,7 @@ public void execute(CommandLine cmd) throws Exception {
throw new Exception("Missing hostname");
}

String unsecurePort = cmd.getOptionValue("unsecure-port", "8080");
String unsecurePort = cmd.getOptionValue("unsecure-port");
String securePort = cmd.getOptionValue("secure-port", "8443");
boolean domainManager = cmd.hasOption("domain-manager");
boolean clone = cmd.hasOption("clone");
Expand All @@ -114,7 +114,11 @@ public void execute(CommandLine cmd) throws Exception {
content.putSingle("type", type);
content.putSingle("name", hostID);
content.putSingle("host", hostname);
content.putSingle("httpport", unsecurePort);

if (unsecurePort != null) {
content.putSingle("httpport", unsecurePort);
}

content.putSingle("sport", securePort);
content.putSingle("agentsport", securePort);
content.putSingle("adminsport", securePort);
Expand Down
6 changes: 6 additions & 0 deletions docs/changes/v11.5.0/Server-Changes.adoc
Expand Up @@ -8,3 +8,9 @@ A new `pki_ds_url` parameter has been added for `pkispawn` to replace the follow
* `pki_ds_ldap_port`
* `pki_ds_ldaps_port`
* `pki_ds_secure_connection`

== Add pki_http_enable parameter ==

A new `pki_http_enable` parameter has been added for `pkispawn`
to enable/disable the plain HTTP connector in `server.xml`.
The default value is `True`.